CS 483 Software Security Final Exam

Confidentiality

Ensuring that information is only accessible to those authorized to access it. Example: Encryption of emails to prevent unauthorized access.

Integrity

Ensuring data is accurate and unaltered. Example: Checksums used to detect corrupted files.

Availability

Ensuring systems and data are accessible when needed. Example: Redundant servers for uptime.

Non-repudiation

Guaranteeing that a party cannot deny the authenticity of their signature on a message. Example: Digital signatures.

Authentication

Verifying the identity of a user or system. Example: Username and password login.

Authorization

Granting access to resources based on identity. Example: Admin-only pages.

Audit

Tracking actions for accountability. Example: Logging file access events.

Reverse Engineering

Analyzing software to discover its components and workings. Example: Decompiling to study malware.

Code Obfuscation

Transforming code to make it difficult to understand. Example: Renaming variables to meaningless names.

Code Obfuscation Techniques

Includes renaming, control flow obfuscation, and string encryption.

Minimal Attack Surface

Reducing the number of potential entry points. Example: Disabling unused services.

Least Privilege

Granting only necessary access rights. Example: Running apps without admin rights.

Defense-in-Depth

Using multiple layers of security. Example: Firewall + Antivirus + IDS.

Fail-Safe Stance

System fails in a secure way. Example: Locking out users on suspicious activity.

Secure by Default

Systems are secure out of the box. Example: Disabled remote access by default.

Separation of Duties

Splitting responsibilities to prevent abuse. Example: Different users for review and approval.

Avoidance of Security Through Obscurity

Not relying on secrecy alone for security. Example: Using tested encryption instead of custom algorithms.

Robust Resource Management

Properly allocating and releasing resources. Example: Avoiding memory leaks.

Forensic Readiness

Preparing for investigation. Example: Log retention policies.

Security Features ≠ Security

Having features doesn't ensure security. Example: Login page with poor password storage.

Overriding

Subclass modifies behavior of parent method. Application: Customizing methods.

Polymorphism

One interface, many implementations. Application: Multiple classes responding to same method

Dynamic Binding

Method call resolved at runtime. Application: Flexibility in object behavior.

Malicious Overriding

Overriding methods for harmful behavior. Example: SafeManager override hides logs.

Integer Overflow

Value exceeds max limit of type. Example: Adding 1 to 2^31-1 in C causes overflow.

Integer Overflow in Java

Java allows overflow silently. Example: `int x = Integer.MAX_VALUE + 1`.

Integer Overflow in C

Can lead to vulnerabilities like buffer overflows.

Fuzzing

Automated testing using invalid/random input. Example: Finding crash bugs in parsers.

Random Testing

Sending random inputs to software to find bugs.

What Can Be Fuzzed

Any input interface: files, protocols, APIs

Generation-based Fuzzers

Create inputs based on a model/schema. Example: XML fuzzer.

Mutation-based Fuzzers

Mutate existing valid inputs. Example: AFL.

American Fuzzy Lop (AFL)

Popular mutation-based fuzzer with coverage guidance.

SQL Injection

Inserting malicious SQL code in inputs. Example: ' OR '1'='1.

Common SQL Injection Attacks

Bypass login, extract data, modify tables.

SQL Injection Prevention

Use prepared statements and input validation.

Waterfall vs Agile

Waterfall is linear; Agile is iterative. Agile allows faster security feedback.

Why Vulnerabilities Exist

Poor coding lack of reviews, rushing to release.

Adversary Perspective

Designing from attacker’s view. Example: Think like hacker to secure APIs.

Threat-Driven Development

Security based on predicted threats.

Threat Modeling

Structured approach to identifying threats. Tools: DFDs, STRIDE, Attack Trees

DFDs

Data Flow Diagrams represent data movement. Helps identify trust boundaries.

STRIDE

Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

Attack Trees

Visualize paths an attacker could take.

DREAD

Damage, Reproducibility, Exploitability, Affected users, Discoverability